CVE-2023-22247 : Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are af

Adobe Commerce versions 2.4.4-p2 (and earlier) and 2.4.5-p1 (and earlier) are affected by an XML Injection vulnerability that could lead to arbitrary file system read. An unauthenticated attacker can force the application to make arbitrary requests via injection of arbitrary URLs. Exploitation of this issue does not require user interaction.

Published 2023-03-27 21:15:11

Updated 2023-04-04 20:51:40

Source Adobe Systems Incorporated

View at NVD, CVE.org

Products affected by CVE-2023-22247

Adobe » Magento Open Source
Versions before (<) 2.4.4
cpe:2.3:a:adobe:magento_open_source:*:*:*:*:*:*:*:*
Matching versions
Adobe » Magento Open Source » Version: 2.4.5
cpe:2.3:a:adobe:magento_open_source:2.4.5:-:*:*:*:*:*:*
Matching versions
Adobe » Magento Open Source » Version: 2.4.4 Update P1
cpe:2.3:a:adobe:magento_open_source:2.4.4:p1:*:*:*:*:*:*
Matching versions
Adobe » Magento Open Source » Version: 2.4.4
cpe:2.3:a:adobe:magento_open_source:2.4.4:-:*:*:*:*:*:*
Matching versions
Adobe » Magento Open Source » Version: 2.4.5 Update P1
cpe:2.3:a:adobe:magento_open_source:2.4.5:p1:*:*:*:*:*:*
Matching versions
Adobe » Magento Open Source » Version: 2.4.4 Update P2
cpe:2.3:a:adobe:magento_open_source:2.4.4:p2:*:*:*:*:*:*
Matching versions
Adobe » Commerce
Versions before (<) 2.4.4
cpe:2.3:a:adobe:commerce:*:*:*:*:*:*:*:*
Matching versions
Adobe » Commerce » Version: 2.4.4
cpe:2.3:a:adobe:commerce:2.4.4:-:*:*:*:*:*:*
Matching versions
Adobe » Commerce » Version: 2.4.5
cpe:2.3:a:adobe:commerce:2.4.5:-:*:*:*:*:*:*
Matching versions
Adobe » Commerce » Version: 2.4.4 Update P1
cpe:2.3:a:adobe:commerce:2.4.4:p1:*:*:*:*:*:*
Matching versions
Adobe » Commerce » Version: 2.4.5 Update P1
cpe:2.3:a:adobe:commerce:2.4.5:p1:*:*:*:*:*:*
Matching versions
Adobe » Commerce » Version: 2.4.4 Update P2
cpe:2.3:a:adobe:commerce:2.4.4:p2:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-22247

EPSS FAQ

0.20%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 58 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-22247

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	Adobe Systems Incorporated
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-22247

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

Assigned by: psirt@adobe.com (Primary)

References for CVE-2023-22247

https://helpx.adobe.com/security/products/magento/apsb23-17.html

Adobe Security Bulletin
Release Notes;Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-22247

Products affected by CVE-2023-22247

Exploit prediction scoring system (EPSS) score for CVE-2023-22247

CVSS scores for CVE-2023-22247

CWE ids for CVE-2023-22247

References for CVE-2023-22247